The Cybersecurity & Infrastructure Security Agency (CISA) published a final version of the Secure Software Development Attestation Common Form. Federal agencies will require contracted software producers to sign the form, self-attesting that they comply with secure software practices derived from the NIST Secure Software Development Framework (SSDF).

The Office of Management and Budget (OMB) directed CISA to create the Form in a September 2022 memo, pursuant to a requirement in the May 2021 Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028). Since then, CISA has released two drafts of the form, which the Coalition commented on in June 2023 and January 2024.

In the most recent version, CISA made several substantive changes, some of which align with the comments offered by the Cybersecurity Coalition. Such changes include:

  • Allowing a designee to sign the Form - In earlier iterations, the form required either a Chief Executive Officer (CEO) or Chief Operating Officer (COO) to sign. The Coalition argued that this requirement would pose an undue burden on software producers, especially on larger vendors that would need to fill out multiple forms because of the multiple products sold to the government. In the final version, CISA updated the requirement, enabling either a CEO or a designee to sign. To be eligible, a designee must be “an employee of the software producer” and have “the authority to bind the corporation.”
  • Clarifying the requirement to notify “all impacted” agencies of changes - Earlier versions of the form required software producers to attest that they would “notify all impacted agencies if conformance to any element of [their] attestation [was] no longer valid.” In our comments, the Coalition argued that software producers could not feasibly notify “all impacted agencies” since they may not be aware of how the federal government uses their products. For example, federal agencies may use software to provide information or shared services to other agencies without the vendor’s knowledge. To remedy this, CISA changed the language so a vendor must notify agencies where it has previously submitted a self-attestation form.
  • Adding an exemption for “third-party open source and proprietary components” - CISA designates certain categories of software and software components that do not need to be covered by a self-attestation. In the final version of the form, CISA added a new exemption for “third-party open source and proprietary components that are incorporated into the software end product used by the agency.” Existing categories that already had an exemption included:
      1. “Software developed by federal agencies.”
      2. “Open-source software that is freely and directly obtained directly by a federal agency.”
      3. “Software that is freely obtained and publicly available.”

Moving forward, CISA will develop a repository for online submission of the form. CISA expects that the repository will be available for software providers to use in late March.

Luke O'Grady
